Tuesday, 19 August 2014

SharePoint 2013 on-prem using Windows Live Id via Azure ACS

Overview: I have a pretty simple requirement to allow users to register on my customer's public SharePoint 2013 web sites. I have set up custom providers and thought ACS was going to make me a hero at my client. The whole experience is terrible and I can't see why anyone would use the default of LiveId via ACS due to the implementation.

Opinion: I hate the way ACS works with Windows Live Id, it is so bad I can't see a scenario when a client would use it.

Anyway, I have SP2013 SP1 on-prem and I want to hook up ACS, allowing customers to register on the site and get elevated permissions on the site. I'd like them to use multiple 3rd party authentication providers such as Facebook, Windows Live Id, LinkedIn and Google. In my PoC I decided to simply use Live Id as it is the default on ACS, and as both services are Microsoft owned it must be the easiest.

I worked through Wictor Wilén's post series and as usual Wictor has provided a great resource. I had to make minor adjustments to get it to work for me on SP2013 but overall, Wictor's series of posts is a good place to start.

The 1st issue I got was when logging in using Windows Live ID, I was continuously redirected back to the /_login/default.aspx page.

After bashing my head trying to figure out what the issue was, I realised that in Wictor's common issues post in the series, he mentioned the claims mapping/rule needs to be adjusted for Live ID authentication.

I was now getting an access denied, which at least told me the claim was hooking up.

The next issue was that I was now getting the "you are not authorised" message: "Sorry, this site hasn't been shared with you."

Give all authenticated users access to the site.

Once you login you will notice a horrible looking user that is logged in. You can assign permissions using the "Friendly Username".
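The whole setup from the steps above in one script, as an added example that is not from the original post or from Wictor's series: it registers ACS as a trusted identity token issuer on the farm, maps the only claim Live ID gives you (the opaque nameidentifier, which is the "horrible looking user") with "Friendly Username" as its display name, and grants "All Authenticated Users" read access so you get past "this site hasn't been shared with you". The namespace, realm, certificate path and site URL are placeholders you must replace with your own values; the claim type URIs and cmdlets are the standard ones.

```powershell
# Added example (not from the original post): register an ACS-backed trusted
# identity token issuer in SharePoint 2013 and grant "All Authenticated Users"
# read access to a site. Values marked PLACEHOLDER are assumptions you must
# replace with those from your own ACS namespace and farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$acsNamespace = "PLACEHOLDER-namespace"                       # your ACS namespace
$realm        = "urn:sharepoint:PLACEHOLDER-webapp"            # relying party realm registered in ACS
$signInUrl    = "https://$acsNamespace.accesscontrol.windows.net/v2/wsfederation"
$certPath     = "C:\PLACEHOLDER\acs-signing.cer"               # ACS token-signing certificate exported from the portal
$siteUrl      = "https://PLACEHOLDER-site"                     # site collection to open up

# ACS only hands back the opaque Live ID nameidentifier, so that claim has to be
# the identifier claim; the display name is what shows in the People Picker.
$nameIdType = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
$idMapping  = New-SPClaimTypeMapping -IncomingClaimType $nameIdType `
                -IncomingClaimTypeDisplayName "Friendly Username" -SameAsIncoming

# The identityprovider claim lets you tell Live ID users apart from Google,
# Facebook or LinkedIn users once more providers share the same ACS namespace.
$idpType    = "http://schemas.microsoft.com/accesscontrolservice/2010/07/claims/identityprovider"
$idpMapping = New-SPClaimTypeMapping -IncomingClaimType $idpType `
                -IncomingClaimTypeDisplayName "Identity Provider" -SameAsIncoming

# Trust only tokens signed by the ACS namespace's own certificate.
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certPath)

# -UseWReply makes SharePoint send its return URL so ACS posts the token
# back to the web application that started the sign-in.
$issuer = New-SPTrustedIdentityTokenIssuer -Name "Azure ACS" `
            -Description "Live ID via Azure ACS" `
            -Realm $realm `
            -ImportTrustCertificate $cert `
            -ClaimsMappings $idMapping, $idpMapping `
            -SignInUrl $signInUrl `
            -IdentifierClaim $nameIdType `
            -UseWReply

# Grant "All Authenticated Users" (encoded claim c:0(.s|true) read access.
# Assumption: the site is on a claims-enabled web application so EnsureUser
# accepts the encoded claim string directly.
$web  = Get-SPWeb $siteUrl
$user = $web.EnsureUser("c:0(.s|true")
$role = New-Object Microsoft.SharePoint.SPRoleAssignment($user)
$role.RoleDefinitionBindings.Add($web.RoleDefinitions["Read"])
$web.RoleAssignments.Add($role)
$web.Update()
$web.Dispose()
```

After running it you still have to enable the "Azure ACS" provider on the web application's zone (Central Admin, Authentication Providers) before the /_login/default.aspx page offers it. Read access for all authenticated users is the widest grant that still keeps anonymous users out; anything that lets a registered Live ID user elevate further should be a separate, deliberate role assignment on the "Friendly Username" rather than on the all-users claim.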

Common public Federation (IdP) identity providers are:

LiveId (MS - not where you would expect the MS offering to be)

Google (constantly changing - easy hookup)

FaceBook

LinkedIn

Common Enterprise IdP Servers/Services are:

Microsoft ADFS (best default option for greenfield SP)

PingFederate (pretty expensive but a comprehensive solution, use if already in place or the advanced features really suit the business at an enterprise level)

Thinktecture IdentityServer (Great for customisation, difficult support but for the hardcore techie type organisation a good option)

CA-SiteMinder (Good product, used in enterprises and hooks up well to SP. Has a large set of tools and options). Update: 19-Nov-2015, seen another large implementation of SiteMinder, it has expensive add-in modules and is extremely problematic. SP agent needs AD groups.

RSA Federated Identity Manager (No experience)

Entrust GetAccess (No Experience)

IBM Tivoli (CAM) (Had a hard time with this a few years back)

ComponentSpace (Good for .NET customisations, not a large Federation service Server)

You can do it but you need to write your own identity provider. It is an absolute headache and another service to worry about, so if you really need LiveID you can use it but it is a lot of work. This post describes getting LiveId to work but with the horrible user ID; this uses LiveID's identity provider, ACS and then your SP2013/2010 farm to log you in.

To get LiveID with a usable identity, you need to add another identity provider, i.e. write your own. The process is: the browser logs into LiveId, which redirects to your custom identity provider; the custom provider examines the SAML token from LiveID, uses the LiveId API to look up the username and other details via the unique horrid Id, and creates another SAML token to pass on to ACS. That token carries a claim set for ACS that includes all the LiveId properties you pulled together. The issue is that you need to host and set up this custom identity provider that consumes the LiveId token, looks up the additional LiveId info, creates the more complete custom LiveId SAML token and then passes the browser on to ACS.

You can see that to get it working properly it goes from 3 steps to 4, and this additional step is a fair amount of work: you need to host this service somewhere with high availability, since every Live ID login now depends on it.